Automatically block IP who requests certain URL

One of our client's PHPBB (surprise, surprise) got hacked. I have taken it down by simply changing the directory name for now; however, the address example.com/forum/* is still getting hits from unsavory IPs. The server runs Apache on a CentOS box.

I am no expert but would like to automatically block any IP that accesses the directory from ALL http/s requests on the box. Is there a simple solution to this? I do have root shell access.


Solution 1:

This would be a job for Fail2Ban. You can use it to scan log files for particular expressions, and block using iptables based on those results.

fail2ban should be available in most distribution repositories, though you may have to add in optional repos.

Solution 2:

Put solution from OP

Here's how:

  1. SSH to your server
  2. Because I'm in CentOS, cd /tmp
  3. Because I'm in CentOS, rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpm
  4. yum install fail2ban
  5. Edit /etc/fail2ban/jail.conf and add..

    [apache-banforum]
    enabled = true
    filter  = apache-banforum
    # change logpath to your log file
    logpath = /usr/local/apache/domlogs/website/website.co.uk
    maxretry = 1
    bantime = 60000
    action = iptables-multiport[name=BanForum, port="http,https"]
    
  6. Create a file apache-banforum.conf in /etc/fail2ban/filter.d/ with

    [Definition]
    failregex = ^<HOST> -.*"(GET|POST).*/forum/.*$
    ignoreregex =
    
  7. /etc/init.d/fail2ban start
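
Added example, not part of the answer above: with `maxretry = 1` a single matching log line bans the client, so it is worth checking what the failregex matches before enabling the jail. This sketch runs the answer's failregex over constructed combined-format log lines and shows that it also matches a request whose Referer contains `/forum/`. The `HOST` pattern is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, and `STRICT_REGEX` is a hypothetical tighter variant.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; an assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex from the answer above.
PAGE_REGEX = r'^<HOST> -.*"(GET|POST).*/forum/.*$'
# Hypothetical tighter variant: /forum/ must begin the request path itself.
STRICT_REGEX = r'^<HOST> -.*"(GET|POST) /forum/\S* HTTP/'


def compile_failregex(failregex):
    """Expand <HOST> the way this sketch assumes and compile the regex."""
    return re.compile(failregex.replace("<HOST>", HOST))


def banned_hosts(failregex, lines):
    """Return the hosts that would be banned (maxretry = 1), in log order."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m and m.group("host") not in hosts:
            hosts.append(m.group("host"))
    return hosts


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] '
    '"GET /forum/viewtopic.php?t=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2012:13:56:01 +0000] '
    '"POST /forum/posting.php HTTP/1.1" 404 209 "-" "curl/7.19"',
    # Ordinary page view; only the Referer mentions /forum/.
    '192.0.2.44 - - [10/Oct/2012:13:57:12 +0000] '
    '"GET /index.html HTTP/1.1" 200 5120 '
    '"http://example.com/forum/index.php" "Mozilla/5.0"',
    '192.0.2.80 - - [10/Oct/2012:13:58:40 +0000] '
    '"GET /contact.html HTTP/1.1" 200 1830 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("page regex bans:  ", banned_hosts(PAGE_REGEX, SAMPLE_LOG))
    print("strict regex bans:", banned_hosts(STRICT_REGEX, SAMPLE_LOG))
```

On a real installation, `fail2ban-regex <logfile> <filter file>` performs the same check against the actual log.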

Solution 3:

You can create an .htaccess file in the forum directory and put the following lines in it; they may help to protect that URL from being accessed.

    Order allow,deny
    Deny from all